Azure Active Directory Security

Enabling MFA by default for new users using Azure AD Identity Protection

During my session at the Global Azure Boot Camp about Azure Active Directory, somebody from the audience asked me whether you can enable MFA by default for each user. Using the regular MFA portal (which is still outside the Azure portal), that was not possible.

After some digging and researching, there is a way to do this. However, it requires an Azure AD Premium P2 license. Azure AD Premium P2 includes a service called Azure Active Directory Identity Protection. This service is very similar to Conditional Access but is completely focused on the identity protection part. For example, you can use it to detect risky sign-ins, users at risk, and much more. At the same time, you can use the service to create policies that remediate these risks.

This is the service you can use to enable MFA by default. Azure AD Identity Protection is the service you need to look for in your Azure portal. Go to Configuration > MFA registration. Create the right settings for your MFA configuration. If you want to exclude certain users from the MFA requirement, you can do that under Assignments > Users > Exclude. Enable Enforce Policy and click Save.

MFAConfiguration.PNG

So, time to test this policy. I created a new user in my local Active Directory and synchronized it to my Azure Active Directory. When the user logs in, he gets the following screen, confirming MFA is active.

MFAPolicyTest.PNG

Again, you need Azure Active Directory Premium P2 for this, but it does work.

One comment

  1. Well, it certainly makes the user set up MFA; however, after that, when they log out and back in (incognito or InPrivate browser … so no cache involved) they are not prompted with MFA verification at all. This seems to just register them. In order for it to take effect I still have to go in and “enable or enforce” it for that particular user through the O365 Admin Portal. Yes, they have Azure AD Premium P2 and an appropriate O365 license for the account.

    Not sure if I missed something but it is not working for me as I thought was intended. Still looks like Global Admin is going to be the only one to set these up one at a time.

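An added example (not from the original post or from Microsoft's documentation) that checks from the tenant side what the registration policy actually changed: it lists each user's MFA registration state, which the Identity Protection policy drives, next to the per-user MFA state that the comment above reports still has to be set by hand. It assumes the Microsoft Graph PowerShell SDK is installed, that the account used can read the authentication-methods report and per-user MFA state, and that the scopes requested below are sufficient for that.

```powershell
# Added example, not code from the original post. Assumes Microsoft.Graph PowerShell
# module; the scopes below are assumed to cover both Graph calls.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All', 'Policy.Read.All' | Out-Null

function Get-MfaPosture {
    # Registration report: one entry per user, paged via @odata.nextLink.
    $uri = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) {
            # Per-user MFA state (notSet / enabled / enforced) is a separate setting from
            # registration; this is what the commenter had to set in the O365 admin portal.
            $req = Invoke-MgGraphRequest -Method GET `
                -Uri "https://graph.microsoft.com/beta/users/$($u.id)/authentication/requirements"
            [pscustomobject]@{
                UserPrincipalName = $u.userPrincipalName
                MfaRegistered     = $u.isMfaRegistered            # driven by the registration policy
                Methods           = ($u.methodsRegistered -join ',')
                PerUserMfaState   = $req.perUserMfaState          # driven by per-user enable/enforce
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

# The gap the comment describes: users who registered but are not enforced. Such users
# are only challenged if a Conditional Access policy requires MFA for them.
Get-MfaPosture |
    Where-Object { $_.MfaRegistered -and $_.PerUserMfaState -ne 'enforced' } |
    Format-Table -AutoSize
```

Run it once before and once after the registration policy has been applied; the MfaRegistered column should change, while PerUserMfaState will not unless it is set separately.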
